MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae4d46e3c772093c5ad9ee27e412f11e6be6923a1efeca80b1dba5d1fef8f62e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RaccoonStealer


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae4d46e3c772093c5ad9ee27e412f11e6be6923a1efeca80b1dba5d1fef8f62e
SHA3-384 hash: 767cf967d6fe522e571115d83071a2cc4f1ac5a8d9aa38430755f27023b9500e817f91ecfc2d35e73bbabd100406d4d8
SHA1 hash: 0fce1d74469b880820c8e6b2d52e4e0a206ee795
MD5 hash: 5ffe281957d81c218b5851ea276ed82b
humanhash: single-georgia-mobile-saturn
File name:5ffe281957d81c218b5851ea276ed82b.exe
Download: download sample
Signature RaccoonStealer
Create hunting rule
File size:172'032 bytes
First seen:2021-10-11 08:07:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4ae1930ab190d7663a058f50c2e04145 (2 x RaccoonStealer, 1 x GuLoader)
ssdeep 3072:wZEY2gr8i6rps8ClR8QA9QKpuhogIiRy0NcKeSG:Ae28i6rib8TQWWIeyNWG
Threatray 6'338 similar samples on MalwareBazaar
TLSH T149F3066196B0FC16D09509F2F92194FB8B9C2E31FE6112DBFA807F0A35FB3A14215B56
File icon (PE):PE icon
dhash icon 1e5e9a5cc4a43924 (1 x RaccoonStealer)
Reporter abuse_ch
Tags:exe RaccoonStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5ffe281957d81c218b5851ea276ed82b.exe
Verdict:
No threats detected
Analysis date:
2021-10-11 08:19:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/69bdd9db-ca14-404c-90d8-44b3cdb7951a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/196512/
Detection(s):
Win.Malware.Generic-9901557-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6163f0e91c2d58ba74016762/reports/7576d62d-8eaf-42d0-a598-0689f5115dd2/overview
Result
Threat name:
RemCom RemoteAdmin Mimikatz GuLoader AES
Create hunting rule
Detection:
malicious
Classification:
troj.evad.rans.spyw.expl.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/868116
Signature
Antivirus detection for URL or domain
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
Contains functionality to hide user accounts
Contains VNC / remote desktop functionality (version string found)
Deletes shadow drive data (may be related to ransomware)
Detected Hacktool Mimikatz
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found string related to ransomware
Found strings related to Crypto-Mining
Found Tor onion address
GuLoader behavior detected
Hides threads from debuggers
Malicious sample detected (through community Yara rule)
May drop file containing decryption instructions (likely related to ransomware)
May enable test signing (to load unsigned drivers)
May modify the system service descriptor table (often done to hook functions)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Yara detected AESCRYPT Ransomware
Yara detected AllatoriJARObfuscator
Yara detected AntiVM3
Yara detected AveMaria stealer
Yara detected Babuk Ransomware
Yara detected BitCoin Miner
Yara detected BlackMoon Ransomware
Yara detected Cerber ransomware
Yara detected Clop Ransomware
Yara detected Codoso Ghost
Yara detected Coinhive miner
Yara detected Conti ransomware
Yara detected Costura Assembly Loader
Yara detected Cryptolocker ransomware
Yara detected Delta Ransomware
Yara detected Discord Token Stealer
Yara detected Generic Dropper
Yara detected Gocoder ransomware
Yara detected GoGoogle ransomware
Yara detected Growtopia
Yara detected GuLoader
Yara detected Hancitor
Yara detected MegaCortex Ransomware
Yara detected Mimikatz
Yara detected Mini RAT
Yara detected MSILLoadEncryptedAssembly
Yara detected Nemty Ransomware
Yara detected Njrat
Yara detected Parallax RAT
Yara detected PasteDownloader
Yara detected Phorpiex smb component
Yara detected Predator
Yara detected Ragnarok ransomware
Yara detected RansomwareGeneric
Yara detected RevengeRAT
Yara detected Rhino ransomware
Yara detected Ryuk ransomware
Yara detected Snatch Ransomware
Yara detected UACMe UAC Bypass tool
Yara detected Valak
Yara detected VB6 Downloader Generic
Yara detected Voidcrypt Ransomware
Yara detected Wannacry ransomware
Yara detected WannaRen ransomware
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1603 Sample: 1gPmnCR2PX.exe Startdate: 12/10/2021 Architecture: WINDOWS Score: 100 56 sopage.duckdns.org 2->56 58 telemirror.top 2->58 60 prda.aadg.msidentity.com 2->60 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Multi AV Scanner detection for domain / URL 2->70 72 Found malware configuration 2->72 74 64 other signatures 2->74 7 mpam-728dfe11.exe 351 2->7         started        11 1gPmnCR2PX.exe 1 2->11         started        13 mpam-796ed98e.exe 7 2->13         started        15 2 other processes 2->15 signatures3 process4 file5 42 C:\Windows\...\mpuxagent.dll.mui, PE32 7->42 dropped 44 C:\Windows\...\ProtectionManagement.dll.mui, PE32 7->44 dropped 46 C:\Windows\...\MpEvMsg.dll.mui, PE32 7->46 dropped 54 193 other files (none is malicious) 7->54 dropped 84 Sample is not signed and drops a device driver 7->84 17 MpSigStub.exe 3 14 7->17         started        86 Tries to detect Any.run 11->86 88 Hides threads from debuggers 11->88 19 1gPmnCR2PX.exe 11->19         started        48 C:\Windows\ServiceProfiles\...\mpavdlta.vdm, PE32+ 13->48 dropped 50 C:\Windows\ServiceProfiles\...\mpasdlta.vdm, PE32+ 13->50 dropped 52 C:\Windows\ServiceProfiles\...\MpSigStub.exe, PE32+ 13->52 dropped 24 MpSigStub.exe 4 13->24         started        26 conhost.exe 15->26         started        28 conhost.exe 15->28         started        signatures6 process7 dnsIp8 62 sopage.duckdns.org 23.146.242.85, 49815, 80 VDI-NETWORKUS Reserved 19->62 64 5.181.156.229, 49817, 80 MIVOCLOUDMD Moldova Republic of 19->64 66 telemirror.top 104.21.31.246, 49816, 80 CLOUDFLARENETUS United States 19->66 30 C:\Users\user\AppData\LocalLow\sqlite3.dll, PE32 19->30 dropped 32 C:\Users\user\AppData\...\vcruntime140.dll, PE32 19->32 dropped 34 C:\Users\user\AppData\...\ucrtbase.dll, PE32 19->34 dropped 40 56 other files (none is malicious) 19->40 dropped 76 Tries to steal Mail credentials (via file access) 19->76 78 Tries to harvest and steal browser information (history, passwords, etc) 19->78 80 Tries to detect Any.run 19->80 82 Hides threads from debuggers 19->82 36 C:\Windows\ServiceProfiles\...\mpavbase.vdm, PE32+ 24->36 dropped 38 C:\Windows\ServiceProfiles\...\mpasbase.vdm, PE32+ 24->38 dropped file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae4d46e3c772093c5ad9ee27e412f11e6be6923a1efeca80b1dba5d1fef8f62e/
Threat name:
Win32.Trojan.RemcosRAT
Create hunting rule
Status:
Malicious
First seen:
2021-10-11 08:08:12 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vzguny6hoietywwz5yt6iexrdzv6ner2d37mvafr3os5d7xy6yxa._file
Verdict:
malicious
Similar samples:
0e312eccc907155b510e531e9519ede3e44ee79a67cb5dba0f3a0c39e9a3d083
RaccoonStealer
414a14294a3c88613f1480a69fa0d7cf3dfbb83eedd5ef0acc3ad39f6e01ee65
RaccoonStealer
4773c7c5c52d0163bfa32cb271399692831e00ff7e6877f0877091e111c9f063
RaccoonStealer
83e4ae7f04653b03a31836d92b1d70b1d9264a2fe7a4570cf39f4be1bf134e2b
RaccoonStealer
8653a11ee811265418a3b6f12945c585b77aea72f02b2d80f481c1100d895299
RaccoonStealer
afc7d530c112b47cd33295262f533df60f12568ede477091434381b0d6a2cc8c
RaccoonStealer
d11342ce9c7550e129e455126cb6373145ea86ae5ee777a652205541ef4cec2c
RaccoonStealer
d9040bf8ad755cd41dc6266c0e0049f4bac0eaa23f18a26931357fe21c719701
RaccoonStealer
e4b26e2c09188228c4db16281887a17e90baaf95c7b691fa75d05af9f79ff20a
RaccoonStealer
f6083599947328d2637adb3cb9810fefd0d9195c504dc2e081fcfca776090c2b
RaccoonStealer
+ 6'328 additional samples on MalwareBazaar
Result
Malware family:
guloader
Create hunting rule
Score:
  10/10
Tags:
family:guloader downloader
Link:
https://tria.ge/reports/211011-j1ky5sgfdq/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks QEMU agent file
Guloader,Cloudeye
Unpacked files
SH256 hash:
49b04162c412105ab0857de16713724cbf3234a0b6ba51f3a5286312633f20c3
MD5 hash:
1f1b425190b2fb0396ad2d538b1060ba
SHA1 hash:
413f98641d46fdcabfcaf64f29495667de6282ea
Link:
https://www.unpac.me/results/b9821b17-e18f-4147-92a6-a0fbebc97762/
SH256 hash:
ae4d46e3c772093c5ad9ee27e412f11e6be6923a1efeca80b1dba5d1fef8f62e
MD5 hash:
5ffe281957d81c218b5851ea276ed82b
SHA1 hash:
0fce1d74469b880820c8e6b2d52e4e0a206ee795
Link:
https://www.unpac.me/results/b9821b17-e18f-4147-92a6-a0fbebc97762/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ae4d46e3c772093c5ad9ee27e412f11e6be6923a1efeca80b1dba5d1fef8f62e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RaccoonStealer

Executable exe ae4d46e3c772093c5ad9ee27e412f11e6be6923a1efeca80b1dba5d1fef8f62e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1597404/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/196512/

Comments